Google Releases Fixes For Many Severe Issues Including One That Phishes With An Image

Google Releases Fixes For Many Severe Issues Including One That Phishes With An Image

Published March 12, 2019

Google was busy prior to its February patch release. It fixed a total of 42 flaws related to the Android operating system, including 11 critical ones and 30 that were rated as high severity. Notably, included in this batch was a critical flaw that could potentially allow an attacker to execute code on your mobile device. Of course how it may get onto your smartphone is via phishing.

Remember never to click links or attachments in email, text, or from any other way unless you are 100% certain it’s OK to do so. Most definitely consider whether or not you should if it came unexpectedly, from someone unknown to you, or if there is any doubt what so ever of its safety. If you want to click it, place a quick phone call to the sender using a number you already know or look up on the website. In other words, don’t reply to email or use information found in those messages to verify these. The hackers are witty enough to plant their own information and if you use it, you’ll just be calling them. And of course, they will verify that you should click.

The recent set of patches addresses flaws in millions of Android devices from 7.0 Nougat to 9.0 Pie, which is the latest version. Some users may already have an update for these issues, but each carrier has to release them separately. Therefore, as soon as you see there is an update available, take a moment to apply it.

The most severe of the critical issues could allow a remote attacker to execute arbitrary code on an affected device using a phishing email and a specially crafted .PNG file.

Fortunately, there is no evidence this has been exploited, but don’t delay in updating your devices anyway.

There are a lot of benefits to using Google’s Chrome Browser. One of them; it’s generally pretty efficient at getting you where you want to go. However, a new scam has become a thorn in Chrome’s side in that area. It actually spins the browser into a tizzy and uses all of Chrome’s resources, causing the user to have to shut it down completely by forcing it to quit. But it is relentless. Merely shutting down the browser may not fix it, so don’t get caught out by this one.

In this version of the tech support scam, users see a popup claiming to be a Windows Internet Security Alert. It looks pretty authentic and even gives an alert code. But if you go to the link listed, it will put Chrome into a never-ending loop, use 100% of the computer’s resources, and keep you from closing the browser without using a forced option, such as quitting via Windows Task Manager.

Very important tip follows here: If you do end up in this tech support loop of pain and force the browser to quit, DO NOT restore your browser tabs when it re-opens. Chrome does give you that option and while it’s a very useful feature under most circumstances, this one will just put you right back into that Tilt-O-Whirl. That’s because it also opens up that scammy URL which just send you right back into that never-ending loop.

This does not happen in Firefox. It actually exploits a bug in Chrome that was reported and is being worked by Google. A fix should be out soon, if it isn’t already. If you have an indicator to update the browser, just do it.

Until then, be very careful about clicking on links in email or even those in popups that appear on your computer or mobile screens. Just because a notification states you might have malware or some other problem, doesn’t mean it’s true. Instead of clicking, close that message out and shut down your computer and completely reboot it. Once it comes back up, do a virus scan using your installed and updated anti-virus software.

And just because it’ll save you a lot of time and frustration in case you actually do manage to get some sort of malware on your computer or mobile device, make sure you do regular backups of them. This is pretty quick and simple to do. You can get an external drive to keep the data close to home, or send it to the cloud if you’re comfortable doing that. In any case, having that data backed up will be your savior should you need to restore for any reason.

Often touted by computer nerds and cybersecurity experts alike as the most secure Internet browser, Google’s Chrome is under attack by scammers. They’ve taken the infamous tech support scam, where users are tricked into giving up payment card and other details under the ruse of help for a computer problem, and created a method to “freeze” Chrome. The idea is that users panic and think they have no choice but to call the number on a popup dialogue box for help.

Never fear though. It is indeed a clever trick. First, a message appears that some type of problem occurred and the ISP blocked the offending computer. Your Facebook login is, according to the alert, being stolen, your payment card details are being stolen, and other scary things are happening. Then, they “freeze” the browser by sending thousands of files super quickly so that Chrome doesn’t have a chance to react. The users think they have a problem, but in fact this is just using up resources and causing a halt to the browser. So far, it seems to be hitting Windows users on Chrome version 64.0.3282.140.

The scammers leave a “convenient” toll free number to call for help, but don’t. Instead, close the box if possible. If that doesn’t work, there is another way to make it close. Just go to the Windows Task Manager (usually this can be done by holding control-alt-delete) and stop the Chrome browser. Yes, you’ll lose anything you haven’t saved, but isn’t that better than getting scammed?

If you are on a MacOS, this technique can still work. In that case, go to the Apple menu and do a force quit of the Chrome browser.

If these don’t work (although there is no reason to believe they won’t), restart your computer.

To avoid getting these and other types of annoying popups, consider using ad-blocking software. There are several to choose from, regardless of your operating system. Some cost some dough and others are donation-based. Some are even freebies. There is something that will work for you. Just research the options and make sure it isn’t malware too.

The reason to consider these is because malware is often delivered in online advertisements. If the ads are blocked, there is a lot less risk of getting an infection.

Also make sure your devices are kept updated with the latest versions of all the software and especially with the most recent security patches. This can also lessen your risk of getting hit by malware or another type of attack.

The Malwarebytes researchers did not test this on Linux, but there is no reason to doubt that this or some similar method will work on it. This particular attack seems to target Chrome only. However, it’s only a matter of time before someone modifies it to work on other browsers. Always keep those updated too.

If you haven’t heard of Google’s new product for helping to protect Android users, it’s called Google Play Protect. And it now has identified malware, called Tizi, that has infected targets across the world. It is spyware and gets to your Android device through an app advertised on social media and third-party app stores. Once it’s installed, it will gladly grab your personal data from apps such as Facebook, Twitter, WhatsApp, Linked, Skype, and others.

It also exploits several vulnerabilities from several years ago. So, make sure you take some time to update your devices and apps so that they are not open to this exploit.

It can also do a whole host of other tasks that won’t make users happy:

Record audio and take photos without the user knowing what’s happening.

Always check the permissions for any app that you install. If it’s a flashlight app, for example, it doesn’t need access to your camera or microphone. And it is a very rare case indeed that an app needs administrator access to any device. If this is granted, whoever is controlling the malware can have full access to do whatever he or she want on the device.

Make sure Google Play Protect is enabled on Android devices. It began rolling out to users running Play Services 11 and above back in July. It should be available to nearly all versions that are supported by now.

Don’t sideload applications from third-party sites. Stick to the official Google Play store.

Ensure security software is installed on your devices and keep it updated at all times.

Sometimes people feel Google is the big, bad, data-collecting wolf. Other times, it uses the data from billions of scanned emails, apps, and web pages for good. In this case, it used data about phishing websites to create a predictive phishing feature for its Chrome browser. However, this technology should never be an excuse to let your guard down. Phishing scammers are more sophisticated than ever, and they certainly won’t quit just because of some new technology.

Google has included this functionality it its Safe-Browsing filter, which is also used by Apple and Mozilla for their products. It scans for malicious web pages and sends off a warning to users when they try to visit one of them. While this is all fine and dandy, there are still malicious websites that go up constantly that don’t immediately get detected. That’s why you always must watch for these attacks yourselves.

If you receive an email, text message, or phone call from someone that is unsolicited or unexpected, be wary of any information requested. If it’s in the form of a link or attachment, don’t immediately click. If it’s a phone call, don’t give personal information without separately verifying the source. This means, finding a phone number from the company’s website or other means. Don’t return calls to numbers included in email messages or given by a caller if these are unexpected and don’t reply to suspicious email messages.

Don’t fall for threats. If someone calls claiming you will be fined, arrested, or even deported for not complying with a request, it’s likely a scam.

If there is a sense of urgency that you must verify information right away by clicking a link or filling in a form, it’s likely a scam. Go into any online accounts by heading over directly to the company’s website and logging in to your account. It’s handy to bookmark frequently visited websites, especially for financial and healthcare related accounts so that you don’t mistype them and become a victim of a typosquatter.

Google is constantly using the data it collects to improve the overall internet experience for users. But don’t count on any company or product to look out for you 100%. No one product will ever be able to filter out threats completely. Being aware of ongoing threats and listening to that sixth sense is invaluable as well.

It’s becoming more the opinion of cybersecurity experts that using even a complex password for online accounts is no longer adequate to protect our information. Passwords continue to be reused across multiple sites and getting a text message with a one-time code isn't always an option. Google wanted to find out the best multi-factor authentication (MFA) method that covered these weaknesses and in a two year study of over 50,000 of its own employees found that using a tiny security key in addition to a password was the best option for this.

A U2F key (universal second factor) is a small device, about the size of a normal house key that is inserted into your computer’s USB slot. It provides a “cryptographic assertion” that is very difficult, if not impossible to crack or phish when it’s active. It’s better than text codes for various reasons, but one is because sometimes a text sent to a smartphone just isn’t an option. For example, if you travel you may not have access to receive text messages; your battery may be dead; or something else may prevent you from receiving a text code.

In addition, even these one-time codes can be phished or intercepted by cyberthieves. Smartcards are another MFA solution, but they require some additional hardware or a dedicated computer to work. That eliminates it for our “on-the-go” society as a reasonable solution. Google found the keys to be the best solution because they are easy for the end users to use, the technology is easy for developers to integrate into websites and hardware, and they are really small and lightweight. They fit on a keychain or in your wallet.

For $15-50, anyone can get one of these U2F keys. It just depends on what sites you use with them as to which works for you. Several manufacturers make them and more and more sites are supporting them all the time. Google, Dropbox, Salesforce, LastPass, and recently announced, Facebook all support it. Facebook is an important one. How many times do you create an account that allows you to log in using your Facebook account? Although, using that account to log into other sites is not normally recommended, if you have the security key as well, it’s much more secure if you do.

Chrome and Opera browsers have supported the U2F technology for a while and Firefox has been since the end of 2016. While there are keys available that do support near field communication (NFC) technology such as RFID, most mobile sites are not yet supporting U2F. This is soon to come, however.

Another bonus of using a security key to log into sites such as Facebook? If you don’t get the request to insert your key, it’s easier to see that it might be a phishing attack. That’s a good argument for these little devices. After all, phishing is still the most common way that credentials get stolen or malware lands on devices.

We use cookies to give you a more relevant browsing experience and improve our website. Using this site means that you agree with our use of cookies policy.

Chances are pretty good that you have heard the term business email compromise or BEC by now. It is a type of wire transfer fraud that the FBI has deemed one of the most prevalent types of scam going around these days. In 2017, there were over 15,690 complaints that resulted in total adjusted losses of more than $675 million. That is an 87% increase over 2016 and it is expected to continue to rise. The Identity Theft Resource Center (ITRC) reported that of the fraud related complaints reported in 2017, the most common type was wire transfer fraud.

Chances are pretty good that you have heard the term business email compromise or BEC by now. It is a type of wire transfer fraud that the FBI has deemed one of the most prevalent types of scam going around these days. In 2017, there were over 15,690 complaints that resulted in total adjusted losses of more than $675 million. That is an 87% increase over 2016 and it is expected to continue to rise. The Identity Theft Resource Center (ITRC) reported that of the fraud related complaints reported in 2017, the most common type was wire transfer fraud.

This Privacy Policy applies to and is provided on behalf of Stickley on Security. (collectively referred to as "We", "Us", or "Our") and describes Our information gathering
practices and policies in connection with this Site. We value your ("User", "You", or "Your") privacy and recognize the sensitivity of Your personal information. We are
committed to protecting Your personal information and using it only as appropriate to provide You with the best possible service, products, and opportunities. Use of this
Site constitutes consent to Our collection and use of personal data as outlined herein.

COLLECTION AND USE OF PERSONAL INFORMATION FROM SITE USERS

We collect personally identifiable information from Users who provide it to us for billing purposes. For example, We collect Your name, street address, city, state, zip
code, telephone number, email address, and financial information, such as a credit card number, if You use the Site to register or renew a license. We may use this
information to contact You regarding the status of Your account and orders placed, and to alert You to new information, products and services, events and other
opportunities. We recognize that You may wish to limit the ways in which You are contacted and provide You with opt-out options below. Information about Our experiences and
transactions with you, such as your payment history, types of services and/or products you purchased are not shared with organizations outside of Stickley on Security.

We will not disclose to third parties (that is, people and companies that are not affiliated with Us) individually identifying information, such as names, postal and e-mail
addresses, telephone numbers, and other personal information, except to the extent that it is necessary to process and provide You with Your order, license request or
other request. Your contact information may also be provided to the extent necessary to comply with applicable laws or legal processes (e.g., subpoenas), or to meet contractual obligations outlined in this policy, or to protect Our
rights or property. We will cooperate with all law enforcement authorities.

If Your order, license request or other request is processed by a third-party, or if You are provided with bulletin boards and chat rooms and/or email capabilities on
this Site, please note that in the event that You voluntarily disclose personally identifiable information in those instances, that information, along with any substantive
information disclosed in Your communication or post, can be collected, correlated and used by third parties. This may result in unsolicited messages from third parties. Such
activities are beyond Our control, and We encourage You to check the applicable privacy policy of such party when providing personally identifiable information.

For each visitor to this Site, Our server can detect and collect certain information, including the User's domain name and e-mail address, and can identify the Web pages the
User visited or accessed. We may use this information in order to measure interest in and use of the various areas of the site.

We do not knowingly solicit information from children and We do not knowingly market the Site or its services to children.

OPT-OUT

You may at any time opt out of having Your personal information used by Us to send You promotional correspondence by contacting Us via e-mail provided in the "Contact Us"
section below.

PROMOTION CODES

"Promotion codes" are offered by third-party affiliates of the Stickley on Security Training Videos. If you choose to include a "Promotion Code" when placing your order, the affiliate who is associated with that promotional code will receive your organizations name. They will NOT however receive any other information related to your account. The sharing of the organization name only applies when a "Promotion Code" is included during the order process.

USE OF COOKIES

1. First-party cookies
User input cookies to keep track of the user's input when filling online forms, shopping carts, etc., for the duration of a session, or persistent cookies limited to the duration of an operation such as purchase or trial;
User identification persistent cookies, to identify the user visited the website for the first time;
Authentication cookies, to identify the user once he has logged in, for the duration of a session;
user interface customization cookies such as time zone and shopping cart status info, for the duration of a session (or slightly longer).

2. Third-party cookies
social plug in content sharing cookies, for logged in members of a social network;
Google Analytics cookies to generate statistical data on how the visitor uses the website.

How do we use them?
Where strictly necessary. These cookies and other technologies are essential in order to enable the Services to provide the feature you have requested, such as remembering you have logged in.

For functionality. These cookies and similar technologies remember choices you make such as time zone and shopping cart info. We use these cookies to provide you with an experience more appropriate with your selections and to make your use of the Services more tailored.

For performance and analytics. These cookies and similar technologies collect information on how users interact with the Services and enable us to improve how the Services operate. For example, we use Google Analytics cookies to help us understand how visitors arrive at and browse our products, services and website to identify areas for improvement such as navigation, user experience, and marketing campaigns.

Social media cookies. These cookies are used when you share information using a social media sharing button or .like. button on our websites or you link your account or engage with our content on or through a social media site. The social network will record that you have done this. This information may be linked to targeting/advertising activities.

How can you opt-out?
To opt-out of our use of cookies, you can instruct your browser, by changing its options, to stop accepting cookies or to prompt you before accepting a cookie from websites you visit. If you do not accept cookies, however, you may not be able to use our Services.

Updates to this Cookie Policy
This Cookie Policy may be updated from time to time. If we make any changes, we will notify you by revising the "effective starting" date at the top of this notice.

INFORMATION SECURITY AND CONFIDENTIALITY

We maintain physical, electronic and procedural safeguards to prevent the unauthorized release of or access to Your personal information. When We transfer and receive
certain types of sensitive information such as financial information, We redirect visitors to a secure server. We do not store or reuse Your credit card information. We do
not record or manager financial information about You (including credit card and other payment information). However, such precautions do not guarantee that this Site is
invulnerable to all security breaks. We make no warranty, guarantee, or representation that the use of this Site is protected from viruses, security threats, or other
vulnerabilities and that Your information will always be secure. We cannot guarantee the confidentiality of any communication or material transmitted to/from Us via the Site
or e-mail. Use of the Internet is solely at Your own risk and is subject to all applicable local, state, federal, and international laws and regulations.

THIRD PARTY PROCESSING

Stickley on Security uses the vendor Authorize.net to process all payment transactions. When making a purchase on this site, You also accept the Terms and Conditions and
Privacy Policy of Authorize.net.

CONTACT US

This Privacy Policy may be updated periodically and posted on this Site. It applies only to Our online practices and does not encompass other areas of the organization. We
reserve the right to change this Policy at any time by posting revisions. By accessing or using the Site, You agree to be bound by all of the Terms of this Privacy Policy as
posted at the time of Your access or use. We reserve the right to contact Users of the Site regarding changes to the Terms and Conditions generally, this Privacy Policy
specifically, or any other policies or agreements relevant to the Site's Users. If You have any questions about this Policy, You may email to:

Keep up with the latest cyber security news through our weekly Fraud News & Alerts updates.
Each week you will receive an email containing the latest cyber security news, tips and breach notifications.

Simply complete the form below and you're all set.

You're all set!

You will receive your first official security update email within the next week.
A welcome email has also just been sent to you. If you do not receive this email within the next few minutes, please check your Junk box or spam filter to confirm our emails are not being blocked.